Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
164s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
29/12/2023, 20:45
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
03898b462c7e29a415cdd67c4a4bced4.exe
Resource
win7-20231215-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
03898b462c7e29a415cdd67c4a4bced4.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
03898b462c7e29a415cdd67c4a4bced4.exe
-
Size
755KB
-
MD5
03898b462c7e29a415cdd67c4a4bced4
-
SHA1
9f4e817867c4d753e418a2cb84b04c773f4560a8
-
SHA256
bdeb1037e795b667e1b0f0b0136a34a7c0d5fab25c5d5935b182dd8886cd10d5
-
SHA512
c905a4c7d48eeb27a4da37271865f5a8e2fbfcd784c82d924e94ab559c2feae69130cee985f6a21ba4abaf4d6bbedf40a0524e92a1eef04d4f916b96f10c91aa
-
SSDEEP
12288:ypq6C/2OGAtkCP4cejGSOpRK3CnIiv78:yp8/2+ttPJLfpRK3CnHD8
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe system3_.exe" 03898b462c7e29a415cdd67c4a4bced4.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Users\\Admin\\Desktop\\system3_.exe" 03898b462c7e29a415cdd67c4a4bced4.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\h: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\i: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\k: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\n: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\o: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\x: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\y: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\b: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\j: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\m: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\q: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\r: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\s: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\v: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\w: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\z: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\g: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\p: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\t: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\a: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\e: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\l: 03898b462c7e29a415cdd67c4a4bced4.exe File opened (read-only) \??\u: 03898b462c7e29a415cdd67c4a4bced4.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/4348-0-0x0000000000400000-0x00000000004D5000-memory.dmp autoit_exe behavioral2/files/0x000500000001e715-10.dat autoit_exe -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created \??\d:\autorun.inf 03898b462c7e29a415cdd67c4a4bced4.exe File created \??\f:\autorun.inf 03898b462c7e29a415cdd67c4a4bced4.exe File opened for modification F:\\autorun.inf 03898b462c7e29a415cdd67c4a4bced4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.mydreamworld.50webs.com" 03898b462c7e29a415cdd67c4a4bced4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.mydreamworld.50webs.com" 03898b462c7e29a415cdd67c4a4bced4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://www.mydreamworld.50webs.com" 03898b462c7e29a415cdd67c4a4bced4.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main 03898b462c7e29a415cdd67c4a4bced4.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main 03898b462c7e29a415cdd67c4a4bced4.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.mydreamworld.50webs.com" 03898b462c7e29a415cdd67c4a4bced4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.mydreamworld.50webs.com" 03898b462c7e29a415cdd67c4a4bced4.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe 4348 03898b462c7e29a415cdd67c4a4bced4.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 4348 wrote to memory of 1916 4348 03898b462c7e29a415cdd67c4a4bced4.exe 93 PID 4348 wrote to memory of 1916 4348 03898b462c7e29a415cdd67c4a4bced4.exe 93 PID 4348 wrote to memory of 1916 4348 03898b462c7e29a415cdd67c4a4bced4.exe 93 PID 1916 wrote to memory of 1452 1916 cmd.exe 95 PID 1916 wrote to memory of 1452 1916 cmd.exe 95 PID 1916 wrote to memory of 1452 1916 cmd.exe 95 PID 4348 wrote to memory of 1784 4348 03898b462c7e29a415cdd67c4a4bced4.exe 97 PID 4348 wrote to memory of 1784 4348 03898b462c7e29a415cdd67c4a4bced4.exe 97 PID 4348 wrote to memory of 1784 4348 03898b462c7e29a415cdd67c4a4bced4.exe 97 PID 1784 wrote to memory of 2628 1784 cmd.exe 99 PID 1784 wrote to memory of 2628 1784 cmd.exe 99 PID 1784 wrote to memory of 2628 1784 cmd.exe 99 PID 4348 wrote to memory of 2568 4348 03898b462c7e29a415cdd67c4a4bced4.exe 103 PID 4348 wrote to memory of 2568 4348 03898b462c7e29a415cdd67c4a4bced4.exe 103 PID 4348 wrote to memory of 2568 4348 03898b462c7e29a415cdd67c4a4bced4.exe 103 PID 2568 wrote to memory of 3288 2568 cmd.exe 105 PID 2568 wrote to memory of 3288 2568 cmd.exe 105 PID 2568 wrote to memory of 3288 2568 cmd.exe 105 PID 4348 wrote to memory of 4812 4348 03898b462c7e29a415cdd67c4a4bced4.exe 106 PID 4348 wrote to memory of 4812 4348 03898b462c7e29a415cdd67c4a4bced4.exe 106 PID 4348 wrote to memory of 4812 4348 03898b462c7e29a415cdd67c4a4bced4.exe 106 PID 4812 wrote to memory of 4652 4812 cmd.exe 108 PID 4812 wrote to memory of 4652 4812 cmd.exe 108 PID 4812 wrote to memory of 4652 4812 cmd.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\03898b462c7e29a415cdd67c4a4bced4.exe"C:\Users\Admin\AppData\Local\Temp\03898b462c7e29a415cdd67c4a4bced4.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes2⤵
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\at.exeAT /delete /yes3⤵PID:1452
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe3⤵PID:2628
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f2⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\cacls.execacls "C:\system volume information" /e /g "Admin":f3⤵PID:3288
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f2⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\cacls.execacls "C:\system volume information" /e /g "Admin":f3⤵PID:4652
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102B
MD5948c74cd98911b420ff89dac13399bcb
SHA176dfc73518f003953923b1b4f2b973f4bb56a411
SHA25694a1ac3d574425ec8a3cc01675e4d787373d2a190dddd4f8ba507c49ca3fd42a
SHA512b31d82ede9d48e390a50a9dcf5c4c607c62638e8bc56f473250f9a56b7967d5de948abed69bbb2c35eb0112288faa5c438316b06ccbb36d289e93952b30e2ede
-
Filesize
755KB
MD503898b462c7e29a415cdd67c4a4bced4
SHA19f4e817867c4d753e418a2cb84b04c773f4560a8
SHA256bdeb1037e795b667e1b0f0b0136a34a7c0d5fab25c5d5935b182dd8886cd10d5
SHA512c905a4c7d48eeb27a4da37271865f5a8e2fbfcd784c82d924e94ab559c2feae69130cee985f6a21ba4abaf4d6bbedf40a0524e92a1eef04d4f916b96f10c91aa